The present invention in certain example embodiments involves the selection and use of a content delivery network other than a default network selected by a content service provider, without modification to the content service provider's own service platform.
This application is one of three filed contemporaneously, each relating to embodiments that facilitate the operation of such services. The other two applications, filed on the same date as the present application, and claiming priority from the same three applications, are entitled “Network Terminal Validation” and “Data Retrieval Redirection”. These three disclosures may be used individually, or together as will be described in the specification.
The following terms are used in the specification with the meanings given here. Reference is made, for illustrative purposes, to the conventional system depicted in FIG. 1.
Access Service Network (12, FIG. 1)—a data communications network, through which a user terminal may be connected to other network nodes to retrieve data files.
Authenticated Channel—a secure channel arranged to transfer data from a server to a client if and only if the server has been authenticated by the client e.g. one-way https. A Mutually Authenticated Channel is an Authenticated Channel where data can only be transferred if the Client and the Server have both authenticated each other, typically using X.509 certificates (e.g. https mutual).
Browser (13, FIG. 1)—An application operating on a user terminal which allows a user to select and access server applications at a remote source.
Client Player (14, FIG. 1)—An application, typically on a user terminal, for processing media files received from a data source and preparing them for delivery to a user interface.
Client Proxy Configuration—a configuration in the User terminal to force it to send requests using specific Asset Locators via a Proxy Server such as a Redirection Server.
Content Delivery Network (CDN: 160, FIG. 1)—a distribution system able to deliver data files to user terminals on demand.
Content Distribution Provider—provider of a Content Delivery Network. Not necessarily associated with, or controlled by, the Network Service Provider or Content Service Provider.
Content Service Provider—a provider of data for an original content server.
Device Identity—a unique device identifier, often taking the form of a certificate (and associated private key) that can be used by a server to authenticate the device. This may be burned into the device as part of the manufacturing process.
(Digital) signature—a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
Media Asset (280, FIG. 1)—a data file such as audio, video, html, for processing by a Player.
(Media) Asset Locator (22, 250, FIG. 1)—a data item comprising a unique identifier for a (media) asset, for example a URL or URI (Universal Resource Locator/Identifier), typically comprising: a scheme (identifying a protocol such as http), a server location (such as an Internet domain) and an asset location on the server (such as a directory path and filename). The scheme may specify use of a secure connection, e.g. https.
Media Selector—a system operated by a Content Service Provider that is used to determine an appropriate content delivery network and media asset locator for the purpose of delivering of a media asset to a specific user terminal.
Network Location—an identification or address of the device on a network, such as an IP address or hostname.
Network Service Provider—the provider or operator of an access service network.
Original Content Server (16, FIG. 1)—a server provided by the Content Service Provider, from which data files are distributed either directly to users, or through a Content Delivery Network.
Proxy Server—a server that acts as an intermediary for requests from clients seeking resources from other servers. Examples include caching servers, load balancers, and redirection servers.
Public Key, Private Key—two complementary encryption keys (with associated algorithms) that allow the origin or destination of data to be confirmed. Data encrypted with one key can be decrypted with the other. The private key is only available to the user whose identity is to be confirmed, but the public key is made available to all users. This allows any users with the public key to confirm the origin of data encoded using the private key, and/or to ensure that data encoded using the public key can only be read by the holder of the private key.
Public key certificate (also known as a digital certificate or identity certificate)—an electronic document which uses a digital signature to bind a public key with information that identifies a person or an organization. The certificate can be used to verify that a public key belongs to an individual. The public key can be proved by a “challenge”—the challenger transmits a data message, encrypted using the public key, to the originator. This can only be decoded if the originator has the private key matching the public key. The originator then returns the decoded message to the challenger, which checks the decoded message it receives against the original message. The digital signature originates from a trusted 3rd party certification authority which can vouch for the authenticity of the certificate.
Redirection Server (18, FIG. 2)—a server that accepts requests including Asset Locators from a Client and responds with a redirection message containing a different Asset Locator to that originally requested. The Redirection Server uses a look-up table or specific rules to generate a new Asset Locator for each Asset Locator provided by the Client. A “Secure Redirection Server” is a Redirection Server which will only receive requests via an Authenticated Channel.
Signed Asset Locator—an asset locator that is securely restricted to consumption by a device with a known identity or network location and/or within an allowed time frame. The locator includes a constraint which is typically derived from data items such as: device identity, time, expiry time or time range, Asset Time Stamp, Asset Locator (e.g. uri), or source Network Location, and protected using a hash or encryption algorithm using a secret key to ensure it cannot be forged.
Time Stamp—an item of data indicating the time an asset was last created or modified, for example a time stamp is typically provided for each file managed by an Operating System or Filing System. In the present specification the time stamp is used to identify the period of validity of the asset, to prevent its use after that period has expired.
User Terminal (11, FIG. 1)—a device, such as a computer, handheld device or Set Top Box, typically in a customer's home, and used by the customer to retrieve data files from a remote source.
Media assets are available from a wide range of different data hosts, and can be routed over various access service networks, under the control of different service providers, to a range of user terminals. In a typical arrangement, content is identified by an internet address (Universal Resource Identifier—“URI”). The format of the URI does not necessarily indicate the nature of the content, and so there is no reliable way for the network, or the user terminal, to identify the type of content from the URI alone.
The URI may be accompanied by a digital signature in order to confirm that the client making the request is authorized to access the content delivery network. Examples are described in United States Patent Application US2009/031368 and European Patent Application EP1278112.
A Content Service Provider often has relationships with one or more Content Delivery Networks, and uses a media selector to identify the best CDN and associated Media Asset Locator to serve a given user terminal. The use of a media selector enables a Content Service Provider to use a CDN without losing sight of the requests for its content, and to enforce timing constraints without having to rely on precise synchronisation with the CDN. In particular, television “catch-up” content is often made available for a limited period only, but this limitation is difficult to police if the content is also duplicated in caches operated by CDNs. Content may also need to be withdrawn at short notice, for example if the information in the content becomes out of date, or subject to a legal injunction. The original content provider can replace the content with some other response, but the CDN might continue to make available its cached copies.
A Network Service Provider may have a preferred Content delivery network which can be used to deliver a range of benefits including: lower network cost, use of prioritized delivery over the network, exemption from any broadband usage limits, and transcoding of assets for delivery to different user terminal types.
It may be cheaper for a Network Service Provider to use their preferred CDN in place of the Content Service provider's default CDN. For example the CDN may locate streaming servers close to the edge of the network, so as to minimize the distance over which media needs to travel in order to reach the user terminal.
The Network Service Provider CDN may also enable video content to be identifiable so that it can be prioritized over other data in order to avoid, or minimize the possibility of, exhaustion of buffered content at the user end, resulting in interruption of the content being viewed.
Some media assets, particularly video streams, can require a relatively high bit rate over a relatively long period, and so can make up a significant proportion of any usage limit applicable to an Internet user's account. Some service providers allow content from an authorized source, such as the website of a television broadcaster, to be exempt from such usage limits, for example because such content is paid for in some other way, such as a subscription or advertising revenue. It is therefore desirable that such content be identifiable, and this can be facilitated through use of the Network Service Provider's choice of CDN.
Although the same URI (Universal Resource Identifier) might be provided by a media selector to all user terminals requesting content, it is often desirable to deliver content that has been configured to be appropriate for the type of user terminal requesting the content, for example the appropriate video format, bit-rate, meta-data etc. In particular, where a content service provider does not provide explicit support for specific user terminal types, the service provider may wish to transcode media assets into appropriate formats before delivering them to the user terminal. This might be achievable via use of an appropriate CDN with transcoding capability.
The Network Service Provider may also wish to monitor and control access, so that it can provide services tailored to its own customers. For example it may charge for certain material, or restrict access, for example to prevent content unsuitable for children from being downloaded during times when they are likely to be using the service. It may also substitute some content, for example to provide advertising or news more relevant to the user's location than that provided in the original content. These capabilities can all be facilitated through use of the Network Service Provider's choice of CDN.
One known example, disclosed for example in United States Patent Application US2010/0218248, provides for requests directed to a CDN by way of one gateway to be diverted by that gateway to allow access to the same CDN by way of another gateway. However, there are many reasons why a Network Service provider may require its customers to use a CDN other than the default CDN nominated by the Content Service Provider.
One way to achieve this would be for providers of such content to respond to data requests from subscribers of an approved network service provider by routing the requested data through a dedicated service platform (170, FIG. 1) hosted by the network service provider, instead of the content distribution provider's own network 160 to which the user would otherwise be directed by the media selector 15. However, this requires modification to the content provider's media selector platform 15 to identify and authenticate users permitted to access the dedicated platform 170. This can be difficult to achieve, especially if more than one network service provider and/or more than one content provider are involved.
This raises the question of how a Network Service Provider might itself redirect requests that are targeted at the Content Service Provider's choice of CDN to its own choice of CDN.
Techniques for re-direction of requests via a proxy redirection server are known in the industry. However, these can give rise to a number of security-related challenges in the specific context under discussion. Specifically:
(i) the Network Service Provider may wish to strengthen the security used in relation to signed media asset locators, so that customers do not gain illegitimate access to benefits (such as network prioritisation or usage volume exemption) for other data assets. Where a network service provider uses Carrier Grade NAT (network address translation), the network service provider may require a solution for signing media asset locators using the user terminal network address where the user terminal's public address seen by the content service provider is not the same as the private address seen by the network service provider's CDN,
(ii) the content service provider would not want its own signed media asset locators to be compromised by a rogue user terminal using the proxy redirection server,
(iii) if the content service provider specifies https for media delivery, then this requires special treatment to enable use of a redirection proxy, and
Failure to address security concerns related to such re-direction could allow rogue users and/or devices to make use of network prioritisation facilities in the broadband access network to which they are not entitled, or to gain exemption from broadband usage policies to which they are not entitled, or to gain access to content to which they are not entitled.
Furthermore, standard re-direction techniques cannot be used where a content service provider media selector has responded with a media asset locator that is based on a secure scheme such as https. In such a situation, the proxy redirection would not normally be able to see the contents of the request, and to return an appropriate redirection response.
Some network providers have accommodated the current shortage of IPv4 addresses by consolidating several user addresses under the same public network address, allocating separate private addresses to the individual users—known as Carrier Grade Network Address Translation (CG-NAT). It is thus not always possible for a content delivery provider external to the network to distinguish and authenticate requests from individual users, as they may share the same public address. The external content delivery service can only determine whether it should deliver data to the public address, and cannot distinguish between users sharing that address. This makes it impossible for the content service provider's CDN to employ signed media asset locators based on network addresses, and means that URIs could be passed on to enable access by users not entitled to such access.
The present invention in certain example embodiments provides features of an alternative system which overcomes some of these difficulties whilst requiring no modification to the content provider's operating system. The embodiments of the applicant's co-pending applications, entitled “Network Terminal Validation” and “Data Retrieval Redirection” filed contemporaneously with the present application, provide further features which may also be used in co-operation with certain example embodiments of the present invention.
It is known to use a “proxy” configuration in which data messages, for example, content requests, addressed to one Internet address are sent to a proxy server. This allows the existence or characteristics of an origin server to be hidden, and can be useful for load balancing, termination on secure networks (behind a firewall), mobility, server-based decryption (SSL termination) etc. The proxy can be used, for example, to allow authentication of a user, in order to grant permission to access certain data, effectively acting as a trusted intermediary. A conventional proxy appears to a user terminal to stand in the place of the requested data source. Conversely, a “reverse proxy” appears to the data source to stand in the place of the actual requesting user terminal.
In particular it is also known to use a “redirection proxy” configuration in which content requests, addressed to a content delivery network, are re-directed to another content delivery network by a proxy redirection server. Such a system is known from “Building Robust Network Services Through Efficient Resource Management” (Limin Wang, PhD dissertation, Princeton University, Nov. 2003). However, the system proposed therein would allow unlimited access to the second content delivery network. In particular, the proxy could be used by a rogue client to turn a URI with an expired/faked signature into a new URI with a valid signature. The URI could also be forwarded by one user to another, for whose use it was not intended, thus allowing multiple accessions of the second content delivery network by users not authorized to use it, and without the primary data supplier being aware of such accessions.
According to our co-pending application entitled “Network Terminal Validation”, there is provided a method of operating a media asset location request redirection system to cause a user terminal to redirect first media asset location data relating to a first content delivery network such that the media asset location request is directed to a second content delivery platform, in which the request is directed to a proxy redirection server which translates the first media asset location data into second media asset location data relating to the second content delivery network, and use of the proxy redirection is controlled by an authentication process, in which the user terminal transmits a certificate to the proxy redirection server and the proxy performs an authentication process to determine whether to accept the request for a media asset location. A further aspect of the invention provides a proxy redirection server for converting a first media asset location in a data request to a second media asset location according to a concordance, the redirection server being arranged to receive an authentication certificate with the data request, and comprising an authentication processor for checking the authentication certificate for its validity, and a response generator controlled by the authentication processor, for generating a response to the data request, including the second media asset location, if the validity check is successful. In a preferred arrangement, the response generator has means to generate a time stamp and expiry time as part of the response, indicative of the time the response to the data request is generated. Preferably, the response generator is responsive to device-specific data received in the data request to retrieve a media asset location selected according to the device-specific data.
In a complementary aspect, the co-pending invention provides a user terminal configured to cause a first media asset location associated with a first content delivery network to be converted to a second media asset location associated with a second content delivery network, under the control of a proxy redirection server, the user terminal being configured such that a request identifying a first media asset location is redirected to the proxy redirection server, and to receive an instruction to generate a request identifying a second media asset location in the second content delivery network, the device being arranged to transmit an authentication certificate to the proxy redirection server for validation prior to sending the request. This arrangement allows the service provider to maintain control of the provision of the redirection service to authorized user terminals. This invention in certain example embodiments therefore protects against use of the proxy redirection server as a way of bypassing validation of signatures provided e.g. using the processes described in U.S. Pat. No. 5,805,803 and EP1278112. By use of a mutually authenticated SSL (secure sockets layer) or TLS (transport layer security) connection between the user terminal and the redirection server, it can be ensured that the redirection server only accepts requests from genuine user terminals that are known to be trusted.
The user terminal may have the necessary certificate, and/or the control data for causing the processor to be configured according to certain example embodiments of the invention to operate this way, installed on initial manufacture. Alternatively it may be installed subsequent to manufacture by providing a downloadable data file on a medium such as a computer disc, or by secure download from another computer or over the data communications network itself. The user terminal is configured so that only URIs delivered from the proxy can be forwarded to the second CDN. This provides a secure means of enabling a media URL generated by a content service provider to be used in a different manner to that originally intended by the content service provider, as long as it is supplied via a user terminal that is trusted by the content service provider.
The user terminal has installed in its operating system a data file including an authentication certificate file, and operating instructions to configure the user terminal to operate accordingly. The co-pending application in certain example embodiments causes re-direction of a media request, initially addressed to a first content delivery network, so as to be redirected to a second content delivery network, in which use of a proxy server is controlled by a request redirection process, and the proxy performs a mutual authentication process with the user terminal to ensure that it is only accessible via legitimate trusted user terminals which are known to be secure. The proxy generates a new media asset locator pointing at the second content delivery network, derived from the initial media access location; and can also be used to increase the strength of any access constraints e.g. to identify the accession attempt as coming from an authorized user.
According to our other co-pending application, entitled “Data Retrieval Redirection” there is provided a method of operating an asset location request redirection system in which a user terminal redirects first asset location data relating to a first content delivery network to a redirection server which generates second asset location data such that the asset location request is directed to a second content delivery network, wherein the redirection server, on receiving the first media asset location request data generates a signed second asset location for transmission to the second content delivery network, and the second content delivery network uses data in the signed second asset location to determine whether the asset location request is to be met.
Another aspect of that invention provides a redirection server having a receiver for receiving first media asset location request data from a user terminal, a redirection processor for generating a second asset location, and a transmitter for transmitting the second asset location to the user terminal, wherein the redirection server comprises an authentication processor to generate a signature for inclusion with the asset location.
The co-pending application allows a request for media to be securely re-directed, such that any access restrictions applied to the original media are preserved, and can additionally be strengthened as required by the network service provider. This invention in certain example embodiments protects against use of the redirection server as a way of bypassing validation of signatures provided e.g. using the processes described in U.S. Pat. No. 5,805,803 and EP1278112. By use of a mutually authenticated SSL (secure sockets layer) or TLS (transport layer security) connection, it can be ensured that the second content delivery server only accepts valid requests, signed by the redirection server, and cannot be compromised by any action taken at the user terminal. The asset location request may be passed from the redirect server by way of the user's client player, but the user is not given the necessary information to read the request, or generate a request which can be accepted by the second content delivery server.
The co-pending application also enables the use of IP signatures in a Carrier Grade NAT environment where the public IP address seen by the content provider is different from the private IP address seen by the Internet Service Provider's CDN. The signed asset location may include a timestamp to determine an expiry period (or start/end time range) for the media asset location request, and an address identifying a legitimate user terminal, to confirm that the request has not been stored or transferred to another user terminal. The media asset location data generated by the proxy redirection server may include device-specific data configured according to the user terminal from which the request for data is received. The signed second asset location may include an address restriction specifying a network address from which the asset may be accessed. This allows the second content delivery network to confirm that the request has not been stored or transferred to another user terminal.
This enables a strengthening of the access restrictions associated with the asset, and protects the interests of the network service provider over which the media asset is to be retrieved, as well as the interests of the content service provider which issued the original asset location.
The co-pending application therefore ensures that any media asset location sent to the second content delivery network as a result of the redirection request cannot be used to access expired material remaining in the second content delivery platform. In the preferred embodiment, the user terminal has a Client Proxy Configuration installed, to redirect requests to the secure proxy server in response to requests for data from specified media servers. Following a request for data from an internet address (universal resource identifier—URI) associated with the first CDN, the secure proxy constructs a new URI and signature that is appropriate for the second CDN, and sends this back to the client via a redirection response containing the signed URI, for example an HTTP redirection response. The user terminal then uses this URI and signature to access the required data from the second media server. The secure proxy only accepts requests from trusted authenticated clients, so it is not possible for a rogue client to use the proxy to bypass the original media server's URI signature. The proxy can be used to enhance the service, for example by increasing the strength of the signature, e.g. from time-bound only, to add a requirement for a client IP, and can also be used to enable use of IP signatures in a Carrier Grade NAT (network address translation) environment, as will be described later.
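The redirection flow described above, together with the Signed Asset Locator defined earlier and the Carrier Grade NAT case, can be made concrete in a small model. The following Python is an added illustration written for this page, not code from the applicant's specification or from any of the co-pending applications. Everything in it is an assumption for illustration: the host names cdn1.example.net and cdn2.nsp.example, the device identities, the shared secret, and the choice of an HMAC-SHA256 keyed hash with the constraint carried as query parameters. The "trusted devices" set stands in for the outcome of the mutually authenticated connection (the device identity extracted from the client certificate); the client_ip passed to the redirection server is the address the network service provider sees, which under CG-NAT is the private address rather than the public one seen by the content service provider.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed example data (all hypothetical, for illustration only).
# Secret shared between the redirection server and the second CDN.
SECOND_CDN_SECRET = b"example-shared-secret-not-for-production"
# Concordance (look-up table): first-CDN host -> second-CDN host.
CONCORDANCE = {"cdn1.example.net": "cdn2.nsp.example"}
# Device identities that completed mutual TLS with the redirection server.
TRUSTED_DEVICES = {"stb-0001", "stb-0002"}


def _canonical(path, client_ip, expires):
    # The constraint that gets protected: asset path, bound address, expiry.
    return f"{path}|{client_ip}|{expires}"


def _sign(canonical):
    return hmac.new(SECOND_CDN_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def redirect_request(first_uri, device_id, client_ip, now, ttl=300):
    """Redirection server side.

    Accepts only devices that passed mutual authentication, translates the
    first-CDN locator via the concordance, and returns a 302 to a locator
    signed with the requesting address and an expiry time.
    Returns (status, location).
    """
    if device_id not in TRUSTED_DEVICES:
        return 403, None
    parts = urlsplit(first_uri)
    second_host = CONCORDANCE.get(parts.hostname)
    if second_host is None:
        return 404, None
    expires = now + ttl
    sig = _sign(_canonical(parts.path, client_ip, expires))
    query = urlencode({"ip": client_ip, "exp": expires, "sig": sig})
    return 302, urlunsplit(("https", second_host, parts.path, query, ""))


def second_cdn_check(signed_uri, request_ip, now):
    """Second CDN side.

    Recomputes the keyed hash over the received constraint, then enforces
    expiry and the address binding, so a stored, forwarded or altered
    locator is refused. Returns (ok, reason).
    """
    parts = urlsplit(signed_uri)
    q = parse_qs(parts.query)
    try:
        ip, exp, sig = q["ip"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(_canonical(parts.path, ip, exp))
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > exp:
        return False, "expired"
    if request_ip != ip:
        return False, "address mismatch"
    return True, "ok"


if __name__ == "__main__":
    status, loc = redirect_request(
        "https://cdn1.example.net/assets/ep1.mp4", "stb-0001", "10.0.0.7", now=1700000000)
    print(status, loc)
    print(second_cdn_check(loc, "10.0.0.7", now=1700000100))
    print(second_cdn_check(loc, "10.0.0.8", now=1700000100))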
Many Content Service Providers operate media selectors which return a URI based on a secure scheme, such as https. Conventional user terminal software handles secure data that is to be transmitted to a proxy server by attempting to set up a secure tunnel to the specified location via the proxy, so that only the user and the specified location have access to the secure data, and it is not visible to the proxy server itself (See FIG. 10, tunnel 181). However, such an arrangement would not be suitable if the proxy is required to process media asset location requests and issue re-direct responses, as the secure connection would prevent the proxy redirect server from reading the media asset request, or doing anything with it other than forward it to the specified URI.
This problem may be avoided by configuring the user terminal software according to certain example embodiments of the present invention, in which a communications terminal has a message compiler for transmitting data to predetermined addresses and a secure connection means for transmitting data having a secure data location address by setting up a secure tunnel to that address, and is characterized in having a discriminator for identifying media access location data identifying a pre-defined set of known media servers, and second connection means for transmitting media access location data addressed to a secure location server specified by the media access locator, by way of a proxy, without setting up a tunnel, so that secure media access locators are passed to the proxy over a connection between the user terminal and the proxy for redirection by the proxy server.
In another aspect the invention provides a method for routing data messages having secure data location addresses, wherein data having a secure data location address, other than media access locators, are transmitted from a user terminal by way of a proxy server by setting up a secure tunnel, by way of the proxy, to the server specified by that address, and characterized in that secure media access locators identifying a pre-defined set of known media servers are passed to the proxy server over a connection between the user terminal and the proxy such that the proxy server may generate a redirected media access locator for return to the user terminal.
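The discriminator described in the two preceding paragraphs decides, per request, whether the terminal opens a conventional tunnel through the proxy or hands the secure locator to the proxy for redirection. The following Python is an added example written for this page, not code from the specification; the set of known media servers and the request lines it builds are assumptions (the CONNECT tunnel request and the absolute-URI GET are standard HTTP proxy forms, but how the terminal's client player actually issues them is not stated in the text). It also covers a check the text does not spell out: host matching must be by exact name or sub-domain, so that a look-alike host that merely starts with a known server name is still tunnelled rather than treated as a media server.

```python
from urllib.parse import urlsplit

# Constructed example: the pre-defined set of known media servers (hypothetical).
KNOWN_MEDIA_SERVERS = {"cdn1.example.net", "media.broadcaster.example"}


def is_known_media_server(host):
    """True for a listed server or one of its sub-domains only.

    'cdn1.example.net.evil.test' begins with a listed name but is not under
    it, so it must not be classified as a media server.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in KNOWN_MEDIA_SERVERS)


def proxy_request_for(uri):
    """Discriminator: return (mode, first request line sent to the proxy).

    mode is one of:
      'plain'    - http locator; an ordinary proxied request the proxy can read
      'tunnel'   - https to a non-media host; CONNECT tunnel, proxy sees nothing
      'redirect' - https media locator; passed to the proxy in full over the
                   client-proxy connection (assumed mutually authenticated)
                   so the proxy can answer with a redirection
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme == "http":
        return "plain", f"GET {uri} HTTP/1.1"
    if parts.scheme != "https" or not host:
        raise ValueError(f"unsupported locator: {uri!r}")
    if is_known_media_server(host):
        return "redirect", f"GET {uri} HTTP/1.1"
    port = parts.port or 443
    return "tunnel", f"CONNECT {host}:{port} HTTP/1.1"


if __name__ == "__main__":
    for u in ("https://cdn1.example.net/assets/ep1.mp4",
              "https://bank.example/login",
              "https://cdn1.example.net.evil.test/assets/ep1.mp4"):
        print(u, "->", proxy_request_for(u))
```

Only the 'redirect' branch exposes the locator to the proxy, and it does so only for hosts in the pre-defined set, which preserves the conventional end-to-end tunnel for every other secure destination.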
The connection between the user terminal and the redirection server may itself be a mutually authenticated connection. The user terminal may be configured by transmitting a downloadable data file to the device for installation on the device, the downloadable data file including operating instructions to configure the device to operate according to certain example embodiments of the invention.